The Wall Street Journal and other news outlets warned last year about research that showed it was possible to coax Skype into revealing the IP addresses of individual Skype users. Most users, however, still have no clue about this basic privacy weakness.

Since then a number of services have emerged to help snoops exploit this vulnerability to track and harass others online. For example, an online search for "skype resolver" returns dozens of results that point to services (of variable reliability) that allow users to look up the internet address of any Skype user, just by supplying the target's Skype account name.

Typically, these Skype resolvers are offered in tandem with "booter" or "stresser" services, online attack tools-for-hire used to launch denial-of-service attacks (one of these services was used in an attack on KrebsOnSecurity, and in one on Ars Technica this month).

The idea is that if you want to knock someone offline but you don't know their internet address, you can simply search on Skype to see if they have an account, and then use the resolvers to locate their IP. The resolvers work regardless of any privacy settings the target user may have selected within the Skype program's configuration panel.

Beyond exposing one's internet connection to annoying and disruptive attacks, this vulnerability could allow stalkers or corporate rivals to track the movement of individuals and executives as they travel between cities and states.

Many of these resolver services offer "blacklisting," which for a fee will allow users to prevent other users from looking up the IP address attached to a specific Skype account, said Brandon Levene, an independent security researcher.

"It's basically a protection scheme," Levene said.

Levene said the resolvers work by using a modified Skype client (version 5.5 or 5.9) to create a debug log. This client is hosted on a web server.

"A simple script is used to construct a link containing a Skype username, which is passed to the modified client," Levene said. "This client simply attempts to add the requested username to a contact list and parses the target account's 'information card' (if available). This process writes the IP address of the requested username to the debug log, in plain sight."

Skype was purchased by Microsoft in 2011, but Microsoft appears to have done little to address this privacy weakness, despite the attention brought to it and the proliferation of sites offering tools to exploit it.

"We are investigating reports of tools that capture a Skype user's last known IP address," a spokesperson for Skype said in an emailed statement. "This is an ongoing, industry-wide issue faced by all peer-to-peer software companies."

The simplest way to address these privacy issues would be to relay all Skype signalling traffic (known in telecommunications circles as 'handshakes') through proxies which disguise the original address, said Stevens Le Blond, a researcher at the Max Planck Institute for Software Systems in Germany.

"That would prevent low-resource third parties, such as resolvers, from tracking Skype users," Le Blond wrote in an email to KrebsOnSecurity. "However, despite a major infrastructure upgrade last year, Skype is still vulnerable to location tracking. One can only hypothesise as to why that is the case. One possibility is that relaying all signalling traffic would break interoperability with earlier versions of Skype."

Defending against more powerful attackers able to eavesdrop on internet links is much more challenging because it requires relaying both signalling and encrypted payload traffic, Le Blond said.

"One challenge is that the maximum Round Trip Time (RTT) that VoIP users can tolerate is around 300 milliseconds (ms) whereas the propagation delay in a fiber optical cable spanning the circumference of the planet is approximately 200ms. It means that when a user in Germany calls another one in Australia, the proxy service must incur less than 100ms additional RTT. My team and I are currently working on this problem."